Open
Description
There have been various supply chain attacks on upstream projects via workflows which automatically use the latest version of the build dependencies.

So instead of having

```yaml
- uses: actions/checkout@v5
```

use

```yaml
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
```

Maybe instead of always doing this by hand, a simple script would be great, which has an input file. The config file should be under .github and in YAML format, .github/action-versions.yaml:

```yaml
actions/checkout: 08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
actions/upload-artifact: [ref] #v5.0.0
```

The script should be in ./scripts/update-workflows.sh and should have two commands:

- The first command, update-version: this updates action-versions.yaml.
- The second command, update-workflows: this updates the workflows with the versions from action-versions.yaml.
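As an added example (not the script requested in this issue and not code from the project), the update-workflows half of the proposal in POSIX sh: it reads a config in the format shown above and rewrites every `uses: owner/repo@<anything>` in a workflow to the pinned commit, keeping the tag as a trailing comment. The function name and the sample files are assumptions; it refuses any entry whose ref is not a full 40-hex SHA (such as the `[ref]` placeholder), since writing a tag would leave the workflow mutable.

```shell
#!/usr/bin/env sh
set -eu

# Rewrite the workflow $2 in place using the pins listed in config $1.
# Config lines look like:  owner/repo: <40-hex-sha> #vX.Y.Z
pin_workflow_actions() {
  config="$1"; workflow="$2"
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$config" | while IFS= read -r line; do
    action=$(printf '%s\n' "$line" | sed -n 's/^\([^:[:space:]]*\):.*/\1/p')
    ref=$(printf '%s\n' "$line" | sed -n 's/^[^:]*:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
    tag=$(printf '%s\n' "$line" | sed -n 's/^[^#]*#[[:space:]]*\(.*\)$/\1/p')
    # Only a full commit SHA is an immutable pin; skip tags, branches and placeholders.
    case "$ref" in
      *[!0-9a-f]*|'') echo "skip $action: '$ref' is not a 40-hex SHA" >&2; continue ;;
    esac
    [ "${#ref}" -eq 40 ] || { echo "skip $action: '$ref' is not a 40-hex SHA" >&2; continue; }
    comment=${tag:+ # $tag}
    # Match "uses: owner/repo@<ref>" plus an optional existing trailing comment.
    sed -i.bak "s|\(uses:[[:space:]]*\)${action}@[^[:space:]#]*\([[:space:]]*#.*\)\{0,1\}|\1${action}@${ref}${comment}|" "$workflow"
    rm -f "$workflow.bak"
  done
}

# Constructed sample input (assumed, not from the issue's repository).
work=$(mktemp -d)
cat > "$work/action-versions.yaml" <<'EOF'
actions/checkout: 08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
actions/upload-artifact: [ref] #v5.0.0
EOF
cat > "$work/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v5
      - uses: actions/upload-artifact@v4
EOF

pin_workflow_actions "$work/action-versions.yaml" "$work/ci.yml"
cat "$work/ci.yml"
```

Only the checkout step is rewritten; the upload-artifact entry is reported on stderr and left untouched because its ref is not a commit SHA.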